Unable to ping router's interface from ASA

kc1978 (Beginner)

I have an ASA that is situated behind a Cisco router and I'm unable to ping the router's interface that is on the same subnet as the outside interface of the ASA. I can ping the router's interface from the same switch that the ASA is connected to. Wireshark on the router's switchport shows the ARP query but no reply from either the router or the ASA. Here is the config of the ASA and the router. Just want to see if someone could help in letting me know what I'm missing. Thanks

 

ASA Version 9.3(1)
!
hostname guinep1
domain-name 
enable password encrypted
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.29.4 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.45.196 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
 subnet 192.168.45.0 255.255.255.0
object network obj-192.168.45.0
 subnet 192.168.45.0 255.255.255.0
object-group network obj-inside-net
 description Inside Networks
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
 network-object 192.168.37.0 255.255.255.0
 network-object 192.168.45.0 255.255.255.0
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.29.0 255.255.255.240 outside
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 192.168.29.1 1
route inside 192.168.20.0 255.255.255.0 192.168.45.1 1
route inside 192.168.25.0 255.255.255.0 192.168.45.1 1
route inside 192.168.37.0 255.255.255.0 192.168.45.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 192.168.37.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username password  encrypted privilege 15
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect rtsp
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f2fcabf2b29546da648900fbcc1cca
: end


ROUTER

router#sh run
Building configuration...

Current configuration : 6030 bytes
!
! Last configuration change at 10:49:25 EDT Wed May 27 2015 by 
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c3825-adventerprisek9-mz.151-4.M9.bin

interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip dhcp relay information trusted
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 no ip address
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 1000
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1.29
 encapsulation dot1Q 29
 ip address 192.168.29.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0
 no ip address
 duplex full
 speed auto
!
interface FastEthernet1/0.35
 encapsulation dot1Q 35
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0.37
 encapsulation dot1Q 37
 ip address 192.168.37.16 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0.45
 encapsulation dot1Q 45
 ip address 192.168.45.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router eigrp 37
 network 192.168.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.29.4 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.29.4 4500 interface GigabitEthernet0/0 4500
ip nat inside source static esp 192.168.29.4 interface GigabitEthernet0/0
!
logging trap notifications
logging facility local6
logging 192.168.37.185
access-list 1 permit 192.168.29.0 0.0.0.15
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.35.0 0.0.0.255
access-list 1 permit 192.168.37.0 0.0.0.255
access-list 1 permit 192.168.45.0 0.0.0.255
access-list 1 remark SDM_ACL Category=2
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.5
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.4
access-list 111 permit icmp host 192.168.35.12 host 192.168.29.1
!
router#

18 Replies

Jon Marshall (VIP Community Legend)

So the port on the switch connected to the router is configured as a trunk ?

And the port the firewall connects to on the switch is in vlan 29 ?

And the native vlan on the trunk is not vlan 29 ?

Jon

Hi Jon,

So the port on the switch connected to the router is configured as a trunk ?   ---- Yes

And the port the firewall connects to on the switch is in vlan 29 ?   ---- This is a trunk port

And the native vlan on the trunk is not vlan 29 ?   ---- Native vlan 29 is not configured on the ports

Thanks

Hi Jon,

Here are the interface configs:

interface GigabitEthernet1/0/2
 description Router interface
 switchport access vlan 29
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

interface GigabitEthernet1/0/13
 description ASA outside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 spanning-tree portfast

interface GigabitEthernet1/0/14
 description ASA inside
 switchport access vlan 45
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast

Jon Marshall (VIP Community Legend)

Your connection to the ASA outside interface is configured as a trunk but your ASA is not using subinterfaces.

The ASA will not be sending tagged packets to the switch.

Can you -

1) on the switch router port remove "switchport access vlan 29" ie. it is either an access port or a trunk port, not both, and it is meant to be a trunk port.

It should work as is but it is better to only have the configuration you need in there.

2) on the switch ASA port change it from a trunk to an access port ie. -

switchport mode access
switchport access vlan 29

Jon
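The point Jon makes above (an untagged device on a trunk port ends up in the trunk's native VLAN, not in the VLAN named by a leftover `switchport access vlan`) is easy to check mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the switch port configurations posted earlier in this thread (reused here as sample input), works out which VLAN an untagged frame from the attached device lands in, and flags ports where that differs from what the device expects. The function names are made up for this example, and it assumes a port with no `switchport mode` behaves as an access port, which is what happens when the neighbour (a router or firewall) does not negotiate DTP.

```python
import re

# Sample input: the three switch port configurations posted earlier in this
# thread (Gi1/0/2 to the router, Gi1/0/13 ASA outside, Gi1/0/14 ASA inside).
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/2
 description Router interface
 switchport access vlan 29
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
 description ASA outside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 description ASA inside
 switchport access vlan 45
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
"""


def parse_interfaces(config):
    """Split an IOS running-config excerpt into {interface name: [config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def untagged_vlan(lines):
    """Return (vlan, mode): the VLAN an untagged frame from the attached device
    is placed in, and whether the port acts as 'trunk' or 'access'.
    Assumption: no 'switchport mode' line means the port ends up as access."""
    mode, access_vlan, native_vlan = "access", 1, 1
    for line in lines:
        m = re.fullmatch(r"switchport mode (\S+)", line)
        if m:
            mode = "trunk" if m.group(1) == "trunk" else "access"
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            access_vlan = int(m.group(1))
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native_vlan = int(m.group(1))
    if mode == "trunk":
        return native_vlan, "trunk"   # untagged frames go to the native VLAN
    return access_vlan, "access"


def check_port(lines, expected_vlan=None):
    """Findings for one port. expected_vlan is the VLAN the attached device expects
    its untagged frames to land in; None when the device tags frames itself
    (e.g. a router with dot1Q subinterfaces)."""
    vlan, mode = untagged_vlan(lines)
    findings = []
    if expected_vlan is not None and vlan != expected_vlan:
        findings.append(f"untagged frames land in VLAN {vlan} on this {mode} port, "
                        f"but the device expects VLAN {expected_vlan}")
    if mode == "trunk" and any(l.startswith("switchport access vlan") for l in lines):
        findings.append("'switchport access vlan' is ignored while the port trunks; "
                        "remove it or make the port an access port")
    return findings


def audit(config, expectations):
    """Run check_port over every interface; expectations maps port -> expected VLAN."""
    ports = parse_interfaces(config)
    return {name: check_port(lines, expectations.get(name))
            for name, lines in ports.items()}


if __name__ == "__main__":
    # The ASA in this thread has no subinterfaces, so it sends untagged frames
    # and expects them in VLAN 29 (outside) and VLAN 45 (inside).
    report = audit(SWITCH_CONFIG, {"GigabitEthernet1/0/13": 29,
                                   "GigabitEthernet1/0/14": 45})
    for port, findings in report.items():
        print(port, "->", findings or "ok")
```

Run against the posted configuration it reports Gi1/0/13 (ASA outside) as dropping untagged frames into VLAN 1 rather than 29, and Gi1/0/2 as carrying a redundant access-VLAN statement, which is exactly the two changes Jon asks for; Gi1/0/14 comes back clean.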

Hi Jon,

I made the changes but I'm still having the same issue:

Broadcast    ARP    60    Who has 192.168.29.4?  Tell 192.168.29.1

 

Thanks

Jon Marshall (VIP Community Legend)

Can you post a "sh int trunk" from the switch ?

Jon

Hi Jon,

Here is the result of the command:

 

Switch#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1
Gi1/0/10    on               802.1q         trunking      1
Gi1/0/11    on               802.1q         trunking      1
Gi1/0/15    on               802.1q         trunking      1
Gi1/0/26    on               802.1q         trunking      1
Gi1/0/28    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094
Gi1/0/10    1-4094
Gi1/0/11    20,25,29,37
Gi1/0/15    1-4094
Gi1/0/26    20,25,37
Gi1/0/28    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,15,20,25,29-30,35,37,45
Gi1/0/2     1,15,20,25,29-30,35,37,45
Gi1/0/10    1,15,20,25,29-30,35,37,45
Gi1/0/11    20,25,29,37
Gi1/0/15    1,15,20,25,29-30,35,37,45
Gi1/0/26    20,25,37
Gi1/0/28    1,15,20,25,29-30,35,37,45

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,15,20,25,29-30,35,37,45
Gi1/0/2     1,15,20,25,29-30,35,37,45
Gi1/0/10    1,15,20,25,29-30,35,37,45
Gi1/0/11    20,25,29,37
Gi1/0/15    1,15,20,25,29-30,35,37,45
Gi1/0/26    20,25,37
Gi1/0/28    1,15,20,25,29-30,35,37,45
Switch# 

Jon Marshall (VIP Community Legend)

The switch configuration looks okay from what I can see.

Are both interfaces ie. the ASA outside and the port on the switch it connects to in the up/up state ?

Jon

They are up/up state.

This is driving me crazy for a week because I don't see why there is an issue.  To make sure there is nothing wrong, I connected a laptop to the same port as the "outside" interface and configured it with a vlan 29 ip address and I was able to ping the interface of the router. I can also ping it from the switch, so I'm a little confused. The other info that I get from the arp debug on the ASA is this:

arp-in: request at inside from 192.168.29.4 0050.56ac.aede for 192.168.29.1 0000.0000.0000 having smac 0050.56ac.aede dmac ffff.ffff.ffff

arp-in: Arp packet received from 192.168.29.4 which is in different subnet than the connected interface 192.168.45.196/255.255.255.0

arp-send: arp request built from 192.168.29.4 0050.56ac.aede for 192.168.29.1 at 123975080
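The `debug arp` lines above carry two separate facts worth pulling out: the request from 192.168.29.4 arrived on the inside interface, whose subnet it does not belong to (and the posted ASA config has `no arp permit-nonconnected`, so the ASA will not answer ARP from off-subnet senders), and the sender MAC is the very MAC the ASA used in its own `arp-send` line, so the ASA is hearing its own outside ARP request on the inside interface. The script below is an added example, not from the thread or from Cisco: it parses those three lines (plus one constructed benign request from an inside host, for contrast) and flags both conditions using the interface addressing from the posted config. Function names are invented for this example.

```python
import ipaddress
import re

# ASA interface addressing as posted in this thread.
ASA_INTERFACES = {
    "outside": ipaddress.ip_interface("192.168.29.4/255.255.255.240"),
    "inside": ipaddress.ip_interface("192.168.45.196/255.255.255.0"),
}

# Sample input: the three 'debug arp' lines quoted above, plus one constructed
# benign request from an inside host (192.168.45.10) for contrast.
ASA_DEBUG = """\
arp-in: request at inside from 192.168.29.4 0050.56ac.aede for 192.168.29.1 0000.0000.0000 having smac 0050.56ac.aede dmac ffff.ffff.ffff
arp-in: Arp packet received from 192.168.29.4 which is in different subnet than the connected interface 192.168.45.196/255.255.255.0
arp-send: arp request built from 192.168.29.4 0050.56ac.aede for 192.168.29.1 at 123975080
arp-in: request at inside from 192.168.45.10 0011.2233.4455 for 192.168.45.196 0000.0000.0000 having smac 0011.2233.4455 dmac ffff.ffff.ffff
"""

ARP_IN = re.compile(r"arp-in: request at (\S+) from (\S+) (\S+) for (\S+) ")
ARP_SEND = re.compile(r"arp-send: arp request built from (\S+) (\S+) for (\S+) ")


def parse_debug(text):
    """Return (received ARP requests, set of MACs the ASA itself used as sender).
    Two-phase on purpose: the arp-send line may come after the arp-in lines."""
    received, own_macs = [], set()
    for line in text.splitlines():
        m = ARP_SEND.match(line)
        if m:
            own_macs.add(m.group(2).lower())
            continue
        m = ARP_IN.match(line)
        if m:
            received.append({"iface": m.group(1), "sender_ip": m.group(2),
                             "sender_mac": m.group(3).lower(), "target_ip": m.group(4)})
    return received, own_macs


def analyse(text, interfaces):
    """Flag ARP requests that should not be arriving where they did."""
    received, own_macs = parse_debug(text)
    findings = []
    for r in received:
        iface = interfaces.get(r["iface"])
        if iface is None:
            continue  # interface not in our map; nothing to compare against
        sender = ipaddress.ip_address(r["sender_ip"])
        if sender not in iface.network:
            # Off-subnet sender on this interface. With 'no arp permit-nonconnected'
            # (as in the posted config) the ASA will not answer it here.
            findings.append(("off-subnet", r["iface"], r["sender_ip"]))
        if r["sender_mac"] in own_macs:
            # The ASA is receiving a request it built itself on another interface:
            # its outside ARP broadcast is reaching the inside interface.
            findings.append(("own-request-received", r["iface"], r["sender_ip"]))
    return findings


if __name__ == "__main__":
    for kind, iface, ip in analyse(ASA_DEBUG, ASA_INTERFACES):
        print(f"{kind}: sender {ip} seen on interface '{iface}'")
```

Both findings fire for the posted lines and neither fires for the constructed inside-host request. The second finding is the more useful one when troubleshooting: an ASA seeing its own outside ARP on its inside interface means the VLAN 29 broadcast is somehow reaching the VLAN 45 side, which points at the layer-2 path rather than at the ASA or router configuration.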

Jon Marshall (VIP Community Legend)

When did you do the laptop test because if the port was configured as a trunk port it should not have worked.

Can you post a "sh vlan brief" from the switch ?

Jon

No, I had it configured as an "access" port for the laptop.

 

Switch#sh vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/27
15   VLAN0015                         active    
20   VLAN0020                         active    
25   VLAN0025                         active    
29   VLAN0029                         active    Gi1/0/13
30   VLAN0030                         active    
35   VLAN0035                         active    
37   VLAN0037                         active    Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/24, Gi1/0/25
45   VLAN0045                         active    Gi1/0/12, Gi1/0/14
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
Switch#

Jon Marshall (VIP Community Legend)

Can you explain the physical connectivity ?

Why does the router have an interface in vlan 45 which is the same vlan as the ASA inside interface as well as in vlan 29 ie.  the outside interface of the ASA  ?

What is the switch ie. is it L2 only or L3 ?

Jon

It's a layer 3 --- Cisco 3750

The router is doing routing for 192.168.45.x on a subinterface

Jon Marshall (VIP Community Legend)

Right, but if the router has interfaces for both the outside and inside interfaces of the ASA then it can just route around the firewall.

Is everything routed off the router ie. does the 3750 have any SVIs for internal subnets.

It sounds like the physical connectivity is amiss somewhere but I'm trying to understand what the setup is ie. you wouldn't normally have the outside interface of your ASA connecting to a router which also has an interface to the ASA's inside interface vlan.

How is the traffic flow from an inside vlan/IP subnet to the router and presumably beyond to the internet meant to flow.

You have an EIGRP network statement on the router 192.168.0.0 0.0.255.255.

If you also have the same statement on your L3 switch and you have SVIs for your internal vlans/IP subnets on the 3750 then all traffic will, as I say, be routed around the firewall.

Jon